... by allowing .rdata to be a table.  Larger RRsets seem useful.

- use parser-detected $ORIGIN instead of looking at SOA owner
- skip records outside $ORIGIN (and warn) instead of nesting them
- simplify a bit, and tweak warnings

Also utilize table indexing.
This was a "regression" from extending RPZ support in 5.1.0.
NS and SOA are even mandatory, as RPZ is supposed to be a valid zone:
https://tools.ietf.org/html/draft-ietf-dnsop-dns-rpz-00#section-2

Some rules need it and it was nil until now.

DENY, DENY_MSG, DROP, REFUSE and TC will now clear the _selected RRs.
I believe that's what people usually expect of these actions anyway.

This new approach uses per-request variables in Lua and creates new
callback for each DEBUG_IF call instead of each request.

It creates new callback functions for every request which
uses "callback chaining" but these should be rare.

It seems there is no reason to keep this function private in policy
module.

DEBUG_IF accepts user-supplied function which decides which requests
should be logged.

Attempt to avoid duplicating ten lines in debug_logfinish_cb lead me
to splitting kr_log_qverbose_impl into two functions kr_log_q and kr_log_req.
This is another minor change to API exposed to modules.

Formerly both logs used slightly different formats and duplicated code.
From now on verbose log and request tracing are generated using the same
code.

This required a small change to request trace_log_f definition so it
might affect external modules.

Petr Špaček authored 5 years ago and Vladimír Čunát committed 5 years ago

These files did not have GNU GPL v3 boilderplate in them so
I've added machine readable tag with appropriate license.

In finish() phase DONE is (almost?) always set, so it didn't make sense.
The mistake came from c16728f5 !678.

Vladimír Čunát authored 5 years ago and Petr Špaček committed 5 years ago

Running the full special-domain checks is relatively expensive.

I've never seen anyone use postrules.

Vladimír Čunát authored 5 years ago and Tomas Krizek committed 5 years ago

- home.arpa.: 4. from https://tools.ietf.org/html/rfc8375#section-4
- local.: 4. from https://tools.ietf.org/html/rfc6762#section-22.1
Well, it's just an approximation... if the user specifies a forwarding
policy, any special names will also get forwarded, even though the RFC
says not to.  And this code will also reply NXDOMAIN to home.arpa. DS.

Some of these DENY rules are perhaps unnecessary, but for now we keep
the same approach.  For arguments see the MR 855 thread and linked ML.

Thanks to changes in this branch the functions are called with correctly
typed parameters already, so these weird casts can be deleted.

Vladimír Čunát authored 5 years ago and Petr Špaček committed 5 years ago

"Unfortunately", for FFI-bound C functions there it doesn't hold that
missing parameters would be converted to nil/NULL.
Still, this function seems unlikely to have been used outside the repo.

and deduplicate the parsing logic.

Vladimír Čunát authored 6 years ago and Petr Špaček committed 6 years ago

It's mainly about the way we parse and validate them.

Almost all of the parts of validation that were being done
in modules/policy/policy.lua and daemon/tls.c got moved
to daemon/bindings/net.c, so it's easier to follow that.
Also more checks are being done now, e.g. contents of .pin_sha256
and .hostname strings.

Vladimír Čunát authored 6 years ago and Petr Špaček committed 6 years ago

In https world it's standard to do that, and it's relied on.
Real-life example: 8.8.8.8#853 over TLSv1.3 won't send a certificate
if we don't send SNI (no idea why; also they do send it with TLSv1.2).

As a consequence, we no longer allow multiple hostnames per
address-port tuple, but that didn't seem useful.

- logging
- watch by default
- in Fedora we need to depend on the version for lua 5.1

Jonathan Coetzee authored 6 years ago and Vladimír Čunát committed 6 years ago

vcunat squashed this, rebased, etc.